tttls1.3 0.3.0 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd89bebc90f5379d37e4fd3d1397168b6df9fcbfe5d1ad05f3ae852ba7d071d1
-  data.tar.gz: 45372c096b46a5c37c9e05d22dfad8d53e24278d5d195b1b7305aa86b49bdfe9
+  metadata.gz: 7245602faa9087e83b3e47484aa88dc368b153e98c76fd00e36ebb1a863af6ef
+  data.tar.gz: c7362f39fc26763f712cdf61a29b3796686c50034d2a6431788d8dbf7dd505c9
 SHA512:
-  metadata.gz: 6b79f03e7eff3d7f2e47e0ca715ee9559c8c2a04f3f6c4869b4c8b915905f8934bb6cf4dd776ae74bdc3e7d9c97dd3a8ee77e46298073bdffd70fc936a954421
-  data.tar.gz: c43d3629de31d6ebd8f86d0c7a700d85a9f6e53be351eb13062c7ad0af9d1b8acc1c685f95a48e7d320b22ad1cd83979c4de3b57f07245060d6cc0dacdcca482
+  metadata.gz: 33168ef27007f9e6d73197ed3e1bae9b58dadfdf3042e732ddc6a05913db0aad48fb653ea7b7222716d70ebe42739f2d9dddee0ec75ee45eb33daba4be6f0229
+  data.tar.gz: d05c73a49e0f5d568785c3b6af3d9bc3c286b35f1110c5f31860f8cf788a9f9e019112fd8647394672c279808e20c4f02d438a58c44f5bab9af1d5fb851ef41f

data/.github/workflows/ci.yml

@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7.x', '3.0.x', '3.1.x']
+        ruby-version: ['3.1', '3.2', '3.3']
     steps:
       - uses: actions/checkout@v3
       - uses: docker://thekuwayama/openssl:latest
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: ${{ matrix.ruby-version }}
       - name: Install dependencies
         run: |
           gem --version

data/.rubocop.yml

@@ -1,6 +1,9 @@
 AllCops:
   TargetRubyVersion: 2.7
 
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
 Style/ConditionalAssignment:
   Enabled: false
 

data/.ruby-version

@@ -1 +1 @@
-3.1.2
+3.2.2

data/Gemfile

@@ -3,6 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'ech_config', '~> 0.0.3'
+gem 'hpke'
 gem 'logger'
 gem 'openssl'
 gem 'rake'

data/README.md

@@ -104,8 +104,8 @@ tttls1.3 client is configurable using keyword arguments.
 | `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
 | `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
 | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
-| `:ech_config` | ECHConfig | nil | ECHConfig to use ECH. If needed to use ECH, set TTTLS13::STANDARD\_CLIENT\_ECH_HPKE\_SYMMETRIC\_CIPHER\_SUITES, for example. See [ech_config](https://github.com/thekuwayama/ech_config). |
-| `:ech_hpke_cipher_suites` | Array of ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite | nil | If needed to use ECH, set client preference HPKE cipher suites. |
+| `:ech_config` | ECHConfig | nil | ECHConfig to use ECH. See [ech_config](https://github.com/thekuwayama/ech_config). |
+| `:ech_hpke_cipher_suites` | Array of ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite | nil | If needed to use ECH, set client preference HPKE cipher suites. For example, you can set TTTLS13::STANDARD\_CLIENT\_ECH_HPKE\_SYMMETRIC\_CIPHER\_SUITES. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |

data/example/README.md

@@ -13,7 +13,7 @@ The examples run as follows:
 ```bash
 $ ruby https_client.rb
 
-$ ruby https_client.rb localhost:4433
+$ ruby https_client.rb https://localhost:4433
 ```
 
 Note that `https_server.rb` requires PEM files of certificate and private key.

data/example/helper.rb

@@ -4,6 +4,7 @@ $LOAD_PATH << __dir__ + '/../lib'
 
 require 'socket'
 require 'time'
+require 'uri'
 require 'webrick'
 
 require 'http/parser'
@@ -61,3 +62,24 @@ def recv_http_response(client)
   parser << client.read until client.eof?
   buf
 end
+
+def transcript_htmlize(transcript)
+  m = {
+    TTTLS13::CH1 => 'ClientHello',
+    TTTLS13::HRR => 'HelloRetryRequest',
+    TTTLS13::CH => 'ClientHello',
+    TTTLS13::SH => 'ServerHello',
+    TTTLS13::EE => 'EncryptedExtensions',
+    TTTLS13::CR => 'CertificateRequest',
+    TTTLS13::CT => 'Certificate',
+    TTTLS13::CV => 'CertificateVerify',
+    TTTLS13::SF => 'Finished',
+    TTTLS13::EOED => 'EndOfEarlyData',
+    TTTLS13::CCT => 'Certificate',
+    TTTLS13::CCV => 'CertificateVerify',
+    TTTLS13::CF => 'Finished'
+  }.map { |k, v| [k, '<details><summary>' + v + '</summary>%s</details>'] }.to_h
+  transcript.map do |k, v|
+    format(m[k], TTTLS13::Convert.obj2html(v.first))
+  end.join('<br>')
+end

data/example/https_client.rb

@@ -3,17 +3,17 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_0rtt.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -15,7 +15,7 @@ process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
-  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:resumption_secret] = rms
   settings_2nd[:psk_cipher_suite] = cs
   settings_2nd[:ticket_nonce] = nst.ticket_nonce
   settings_2nd[:ticket_age_add] = nst.ticket_age_add
@@ -35,14 +35,15 @@ succeed_early_data = false
   # Subsequent Handshake:
   settings_2nd
 ].each_with_index do |settings, i|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
 
   # send message using early data; 0-RTT
   client.early_data(req) if i == 1 && settings.include?(:ticket)
   client.connect
   # send message after Simple 1-RTT Handshake
   client.write(req) if i.zero? || !client.succeed_early_data?
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_client_using_ech.rb

@@ -5,16 +5,15 @@ require_relative 'helper'
 HpkeSymmetricCipherSuite = \
   ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
-hostname = 'crypto.cloudflare.com'
-port = 443
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname, '/cdn-cgi/trace')
+req = simple_http_request(uri.host, uri.path)
 
 rr = Resolv::DNS.new.getresources(
-  hostname,
+  uri.host,
   Resolv::DNS::Resource::IN::HTTPS
 )
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
@@ -23,7 +22,7 @@ settings = {
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_grease_ech.rb

@@ -5,11 +5,10 @@ require_relative 'helper'
 HpkeSymmetricCipherSuite = \
   ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
-hostname = 'crypto.cloudflare.com'
-port = 443
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
@@ -17,10 +16,9 @@ settings = {
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 
 print client.retry_configs if client.rejected_ech?
-
 client.close unless client.eof?
 socket.close

data/example/https_client_using_grease_psk.rb

@@ -5,13 +5,12 @@ require_relative 'helper'
 HpkeSymmetricCipherSuite = \
   ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
-hostname = 'crypto.cloudflare.com'
-port = 443
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname, '/cdn-cgi/trace')
+req = simple_http_request(uri.host, uri.path)
 
 rr = Resolv::DNS.new.getresources(
-  hostname,
+  uri.host,
   Resolv::DNS::Resource::IN::HTTPS
 )
 settings_2nd = {
@@ -37,16 +36,8 @@ settings_1st = {
   alpn: ['http/1.1'],
   process_new_session_ticket: process_new_session_ticket,
   ech_config: rr.first.svc_params['ech'].echconfiglist.first,
-  ech_hpke_cipher_suites: [
-    HpkeSymmetricCipherSuite.new(
-      HpkeSymmetricCipherSuite::HpkeKdfId.new(
-        TTTLS13::Hpke::KdfId::HKDF_SHA256
-      ),
-      HpkeSymmetricCipherSuite::HpkeAeadId.new(
-        TTTLS13::Hpke::AeadId::AES_128_GCM
-      )
-    )
-  ],
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
@@ -56,10 +47,11 @@ settings_1st = {
   # Subsequent Handshake:
   settings_2nd
 ].each do |settings|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
   client.connect
   client.write(req)
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_client_using_hrr.rb

@@ -3,19 +3,20 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
+
 print recv_http_response(client)
 client.close unless client.eof?
 socket.close

data/example/https_client_using_hrr_and_ech.rb

@@ -5,16 +5,15 @@ require_relative 'helper'
 HpkeSymmetricCipherSuite = \
   ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
-hostname = 'crypto.cloudflare.com'
-port = 443
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname, '/cdn-cgi/trace')
+req = simple_http_request(uri.host, uri.path)
 
 rr = Resolv::DNS.new.getresources(
-  hostname,
+  uri.host,
   Resolv::DNS::Resource::IN::HTTPS
 )
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
@@ -24,9 +23,10 @@ settings = {
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
+
 print recv_http_response(client)
 client.close unless client.eof?
 socket.close

data/example/https_client_using_hrr_and_ticket.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -34,10 +34,11 @@ settings_1st = {
   # Subsequent Handshake:
   settings_2nd
 ].each do |settings|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
   client.connect
   client.write(req)
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_client_using_status_request.rb

@@ -3,10 +3,11 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
+socket = TCPSocket.new(uri.host, uri.port)
 process_certificate_status = lambda do |res, cert, chain|
   puts 'stapled OCSPResponse: '
   puts res.basic.status.pretty_inspect unless res.nil?
@@ -14,15 +15,13 @@ process_certificate_status = lambda do |res, cert, chain|
 
   TTTLS13::Client.softfail_check_certificate_status(res, cert, chain)
 end
-
-socket = TCPSocket.new(hostname, port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
   process_certificate_status: process_certificate_status
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_ticket.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -33,10 +33,11 @@ settings_1st = {
   # Subsequent Handshake:
   settings_2nd
 ].each do |settings|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
   client.connect
   client.write(req)
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_server.rb

@@ -30,7 +30,20 @@ Etc.nprocessors.times do
         parser.on_message_complete = lambda do
           if !parser.http_method.nil?
             logger.info 'Receive Request'
-            server.write(simple_http_response('TEST'))
+            html = <<HTML
+  <!DOCTYPE html>
+  <html>
+    <head>
+      <meta charset="UTF-8" />
+      <title>tttls1.3 test server</title>
+    </head>
+    <body>
+  %s
+    </body>
+  </html>
+HTML
+            html = format(html, transcript_htmlize(server.transcript))
+            server.write(simple_http_response(html))
             server.close
           else
             logger.warn 'Not Request'